
List:       maradns-list
Subject:    Re: Spam; MaraDNS' features
From:       e8mhpsznamq001 () sneakemail ! com
Date:       2002-02-20 8:14:13

[Snip. The problems with private black lists]

As it turns out, MaraDNS is an offender with regard to private black
lists; MaraDNS has a feature which allows the DNS server to refuse to
query machines with certain IP addresses or on certain subnets.  In the
default configuration files, two sets of DNS servers which I know to be DNS
servers for spam-friendly interests are blacklisted.

As a result, everyone who installs MaraDNS and uses the default 
configuration will blacklist these particular DNS servers (by IP, no 
less).  Even if both ISPs reform, each and every MaraDNS user will have
to update their configuration files.  

> My goal is to have an authoritative, non-recursive, DNS server which can
> simultaneously handle a high query rate (2000+ per second) as well as a
> high update rate (2+ per second).

MaraDNS is designed to have a next-to-zero update rate; I make changes to
zone files about once a month, if even that frequently.  As a result MaraDNS 
needs to be restarted and is a bit slow loading zone files; it takes her 
a minute or two to load 350,000 resource records.  MaraDNS does not even 
have support for using the HUP signal to reload the zone file; MaraDNS 
needs to be killed and restarted.

On the other hand, MaraDNS is, as it turns out, the fastest authoritative 
DNS server out there; she is about 3 times as fast as DjbDNS and twice as 
fast as BIND.  This is not accidental; I designed the internal data 
structures to need as little conversion as possible from raw UDP DNS 
packets; getting a given RR is essentially a hash lookup and sewing the 
records together into the outgoing DNS packet.  Yes, the structures do 
support round robin rotation; I could probably speed things up by 
removing round robin support.

The only DNS server I know of that can handle fast updates is DjbDNS; you 
have pointed out some of the problems with this particular approach.

The way to handle fast updates and fast response rates using "off the
shelf" programs is to have a fast recursive DNS server in front of a
tinydns server; the recursive server will cache data from the tinydns
server.

The current data structure of the authoritative DNS server is designed to
be static; in particular, each element in the authoritative structure
which has a corresponding A record (NS, MX, and CNAME records) directly
points to the memory address of the A record.  The cache data, of course,
is designed a little differently so that it can handle elements being
removed and added constantly; however elements in the cache do have the
corresponding A records.  They are still legal DNS packets, of course.

The data structures are described in quite some detail in the 
doc/en/source/data_structures.ej document; to view this file, look at it 
using an HTML browser (e.g. 'lynx -force-html -dump data_structures.ej | 
less'), or use the ej2txt utility ('../../../tools/ej/ej2txt 
data_structures.ej | less').  Remove linefeeds in the single quoted UNIX 
commands.

- Sam
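The authoritative data structure Sam describes above (a hash lookup on owner name and type, NS/MX/CNAME entries holding a direct reference to the A records they name, round-robin rotation, and records sewn straight into the outgoing packet) modelled in Python as an added example. This is not MaraDNS code and makes no claim about its real C internals; the zone contents, the class and function names, the one-step CNAME chase, the absence of name compression and the simplified negative answers (no SOA in the authority section) are all assumptions of the example.

```python
"""Model of the static authoritative store described above (hash on (name, type),
NS/MX/CNAME sets holding direct refs to A sets, round robin, wire-format output).
Constructed example, not MaraDNS code."""
import struct

A, NS, CNAME, MX = 1, 2, 5, 15   # RR type codes (RFC 1035)
IN = 1                           # class IN

def encode_name(name):
    """Wire-format a dotted name; no label compression, to keep it simple."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

class RRSet:
    """All records of one (name, type), rdata pre-encoded so serving is a copy."""
    def __init__(self, name, rtype, records, ttl=3600):
        self.name, self.rtype, self.ttl = name.lower(), rtype, ttl
        self.rdatas = []        # wire-format rdata, one entry per record
        self.target_names = []  # names an NS/MX/CNAME record points at
        self.targets = []       # direct references to those A RRSets (see Zone)
        for rec in records:
            if rtype == A:
                self.rdatas.append(bytes(int(o) for o in rec.split(".")))
            elif rtype in (NS, CNAME):
                self.rdatas.append(encode_name(rec))
                self.target_names.append(rec.lower())
            elif rtype == MX:
                pref, host = rec
                self.rdatas.append(struct.pack("!H", pref) + encode_name(host))
                self.target_names.append(host.lower())

    def rotate(self):
        """Round robin: after each use, move the first record to the end."""
        if len(self.rdatas) > 1:
            self.rdatas.append(self.rdatas.pop(0))

    def to_wire(self):
        """Every record of the set as NAME TYPE CLASS TTL RDLENGTH RDATA."""
        owner = encode_name(self.name)
        return b"".join(owner + struct.pack("!HHIH", self.rtype, IN, self.ttl, len(d)) + d
                        for d in self.rdatas)

class Zone:
    def __init__(self):
        self.table = {}     # (owner name, type) -> RRSet: the single hash lookup
        self.names = set()  # owner names that exist at all (NODATA vs NXDOMAIN)

    def add(self, rrset):
        self.table[(rrset.name, rrset.rtype)] = rrset
        self.names.add(rrset.name)

    def link_targets(self):
        """Run once after loading: replace 'name of an A record' with a reference
        to the A RRSet itself. This is what makes the structure static: removing
        an A set later would leave every pointer to it dangling."""
        for rrset in self.table.values():
            rrset.targets = [self.table[(t, A)] for t in rrset.target_names
                             if (t, A) in self.table]

    def respond(self, qid, qname, qtype):
        """Sew a complete response (QR=1, AA=1) for one question into a packet."""
        qname = qname.lower()
        answers, additional = [], []
        rrset = self.table.get((qname, qtype))
        if rrset is not None:
            answers.append(rrset)
            additional.extend(rrset.targets)   # NS/MX glue, no second lookup
        else:
            cname = self.table.get((qname, CNAME))   # one-step CNAME chase
            if cname is not None:
                answers.append(cname)
                answers.extend(t for t in cname.targets if t.rtype == qtype)
        flags = 0x8400 if (answers or qname in self.names) else 0x8403  # NXDOMAIN
        pkt = struct.pack("!HHHHHH", qid, flags, 1,
                          sum(len(r.rdatas) for r in answers), 0,
                          sum(len(r.rdatas) for r in additional))
        pkt += encode_name(qname) + struct.pack("!HH", qtype, IN)
        for r in answers + additional:
            pkt += r.to_wire()
            r.rotate()   # the next query for this set sees a rotated order
        return pkt

def header(pkt):
    """Decode the header: (id, flags, qdcount, ancount, nscount, arcount)."""
    return struct.unpack("!HHHHHH", pkt[:12])

def sample_zone():
    """Constructed sample data (RFC 5737 documentation addresses), not a real zone."""
    z = Zone()
    z.add(RRSet("example.com.", NS, ["ns1.example.com.", "ns2.example.com."]))
    z.add(RRSet("example.com.", MX, [(10, "mail.example.com.")]))
    z.add(RRSet("ns1.example.com.", A, ["192.0.2.1"]))
    z.add(RRSet("ns2.example.com.", A, ["192.0.2.2"]))
    z.add(RRSet("mail.example.com.", A, ["192.0.2.3"]))
    z.add(RRSet("www.example.com.", A, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]))
    z.add(RRSet("ftp.example.com.", CNAME, ["www.example.com."]))
    z.link_targets()
    return z
```

Calling `sample_zone().respond(0x1234, "example.com.", NS)` yields a packet whose header reads two answer records and two additional records, the glue coming straight from the references set up by `link_targets` rather than from a second lookup. That linking step is also the part that makes the structure hostile to updates: once NS/MX/CNAME sets hold a raw reference to an A set, nothing can remove or replace that A set without walking every set that refers to it, which is the trade-off behind the restart-to-reload behaviour described in the message. A store that has to take constant adds and removes, such as the recursive cache, would resolve such references at lookup time or track them explicitly instead.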

